XSS via svg fileupload : Subrion CMS v 4.2.1

[security-breachlock]

Affected software: Subrion CMS v 4.2.1

Type of vulnerability: XSS via svg fileupload

URL: https://subrion.org/

Discovered by: BreachLock

Website: https://www.breachlock.com

Author: Balvinder Singh

Description: SVG files can contain Javascript in <script> tags. Browsers are smart enough to ignore scripts embedded in SVG files included via IMG tags. However, a direct request for an SVG file will result in the scripts being executed.
So an embedded SVG as an attachment in an issue or avatar does not execute the code, but if a user clicks on the attachment the code will execute.

Proof of concept:

Step1: Login into the subrion using the admin role.
Step2: In the uploads choose file upload and upload a malicious SVG file.
Step3: Now open that file which was saved as 1.svg the below output will be shown.
URL Where XSS got executed.
http://localhost/subrion_cms_4.2.1/uploads/1%20-%20Copy.svg?_t=1534094451

Vulnerable URL: http://localhost/subrion_cms_4.2.1/panel/uploads/#elf_l1_XA

[security-breachlock]

Hi,

Thanks for your positive response,

Did you use CVE ID to track these bugs?

Looking forward to hearing from you.